Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provide stronger protections against server compromise and other tampering that is necessary for developers of security-sensitive applications. Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in the explainer.
Motivation
Content Security Policy (CSP) provides strong protection against cross-site scripting (XSS) vulnerabilities. Transport Layer Security (TLS) and Subresource Integrity (SRI) provide protection against resources being tampered with in transit or when hosted on third-party servers. However, the threat model for some particularly security sensitive applications includes the main application server itself being compromised and serving malicious content. This goes beyond the protections that current policies can provide and requires thinking about alternative ways that these applications could be distributed and validated.
Specification
Proposal in a personal repository, no adoption from community
Status in Chromium
In development
Consensus & Standardization
- No signal
- No signal
- No signals
Owners
Intent to Prototype url
Intent to Prototype threadLast updated on 2022-04-27